Closed vbisbest closed 4 years ago
I am not sure about encoding the whole payload. For instance, this simple payload: `<IMG SRC=\"javascript:alert('XSS')\"` (note: the lt is getting encoded to `&lt;` here).
You need to encode this payload because of the spaces; however, doing so modifies the `&lt;` and encodes that (it turns into `%26lt%3B%0A`). Thoughts?
Are these payloads expected to be encoded before sending? For example, the request will fail if you do not encode spaces in the query string. However, encoding the query string will change the other values that may be required for the attack to work. Thoughts? Thank you.
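
The encoding layers described in the question, as an added example that is not part of the original issue or the project's code: percent-encoding is a transport step that the receiving query-string parser reverses, so a literal `<` survives the round trip, while an HTML entity or a trailing newline left in the stored line is sent exactly as stored. The sample line, the parameter name `q` and the function names are constructed for illustration.

```python
import html
from urllib.parse import quote, parse_qs

# Constructed sample, modelled on the payload in the post: one line as it might
# sit in a payload file, with "<" stored as an HTML entity and the line's
# trailing newline still attached (assumption, not taken from the project).
STORED_LINE = "&lt;IMG SRC=\"javascript:alert('XSS')\"\n"


def naive_encode(line: str) -> str:
    """Percent-encode the stored line as-is, artifacts included."""
    return quote(line, safe="")


def transport_encode(line: str) -> str:
    """Strip the newline, undo the HTML entity, then percent-encode."""
    payload = html.unescape(line.rstrip("\r\n"))
    return quote(payload, safe="")


def server_view(encoded_value: str, param: str = "q") -> str:
    """Return the value a server-side query-string parser would recover."""
    return parse_qs(f"{param}={encoded_value}", keep_blank_values=True)[param][0]


if __name__ == "__main__":
    for name, encode in (("naive", naive_encode), ("transport", transport_encode)):
        wire = encode(STORED_LINE)
        print(f"{name:9} wire  : {wire}")
        print(f"{name:9} server: {server_view(wire)!r}")
```

The naive form reproduces the `%26lt%3B` and `%0A` sequences from the post, and the server recovers the literal text `&lt;` rather than `<`; any input filter under test therefore has to be evaluated against the decoded value, not the wire form.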